Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) [X] Responsive to communication(s) filed on 01 August 2005.
2a) [X] This action is FINAL. 2b) [ ] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1-52 is/are pending in the application.

4a) Of the above claim(s) 3-32, 34-48 and 50-52 is/are withdrawn from consideration.

5) [ ] Claim(s) ____ is/are allowed.

6) [X] Claim(s) 1, 2, 33 and 49 is/are rejected.

7) [ ] Claim(s) ____ is/are objected to.

8) [ ] Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 11 April 2001 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. ____.

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received. 
DETAILED ACTION
Terminal Disclaimer 

1. The terminal disclaimer filed on 07/21/2005 disclaiming the terminal portion of any 
patent granted on this application which would extend beyond the expiration date of US Pat. 
Application No. 09/814178 has been reviewed and is accepted. The terminal disclaimer has been 
recorded. 

Response to Arguments 

2. Applicant's arguments filed 07/21/2005 have been fully considered but they are not 
persuasive. 

3. Applicant argues (pgs. 18-19 of remarks) the reference to Giniger does not disclose the 
limitation "providing, at the at least one processor and through the base network, code and 
information for configuring the first processor to interface the base network at the received base 
address" particularly emphasizing Giniger only discloses "...additional configuration 
information. . .related to routing and security policies" which does not qualify under "code and 
information". 

Examiner does not agree with this. Applicant's broad recitation of code and information
in the claims is not further narrowed anywhere in the independent or dependent claims and
thus, under the broadest reasonable interpretation of the claim language, is construed to be any
data that partially or entirely configures the first processor to interface the base network. The
"additional configuration information" provided by the management server (the at least one
processor) clearly helps to configure the edge device (first processor), which is enough to read on
the corresponding limitation. Further in Column 15, Giniger discloses the management server
determines which edge device should establish tunnels, and thus the edge device must receive
information from the management server as to how the tunnel is established and where the tunnel
leads (Column 15, lines 8-35; particularly noting that the management server "instructs" the edge
device to establish a tunnel). Note particularly Fig. 1, element 115 being the tunnel that
interfaces the base network (the internet). Furthermore, Giniger discloses the need for 
cryptography between devices, e.g., the use of session keys which are distributed by the 
management server 130 particularly the public keys used by the edge devices (Column 15, lines 
23+). The base address is administered by the server via a DHCP engine which assigns the IP 
address of each network element (Fig. 4, element 420) which also qualifies as "code and 
information" necessary to configure the edge device to interface the base network. 
4. Applicant contends (pg. 19 of remarks) that because the management server commands 
each of the edge devices to add a tunnel without the consent of the edge devices, Giniger fails to 
disclose the fifth limitation to claim 1, specifically enabling a tunnel based on consents sent by 
the first and second processors to the at least one processor. 

Examiner does not agree. While the management server does command the tunnel to be 
created between edge devices, the edge devices must allow authentication for secure 
communication via the tunnel before the tunnel can be operationally established. Giniger 
discloses this limitation based on the cryptography he employs. Per Column 15, lines 23-42 it is 
necessary to have secure connections via session keys, where the edge devices need to generate
session keys from the management server before the tunnel can be established (Column 15, lines
35-40). This can be construed to be "consenting", since the management server first sends a
command to create a tunnel (Column 15, line 35) where the edge devices consent by each
sending a request to the management server for generation of appropriate keys and subsequently
the tunnel is established for communication (Column 15, lines 36-39).

Claim Rejections - 35 USC § 102

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

5. Claims 1,2,33,49 are rejected under 35 U.S.C. 102(e) as being anticipated by Giniger et 
al. (Giniger). 

Per claim 1, note that the patent sets forth a method for providing network services in the 
form of the VPN between the nodes (i.e. Figure 1) using at least one processor (at the 
management server 130, as servers have at least one processor) interfacing the base network 
(Internet 100). 

At the at least one processor (130) receiving information identifying a user authorized to 
administer a first processor (i.e. one of the edge devices 110), which is separate from the server
processor, in which information is at least the username and password per column 14, lines 63+.
This identifies the user to be authenticated prior to receiving more configuration information.

A base address that is routable through the Internet is received at the at least one 
processor, for example, per the column 14, lines 25-38 discussion of the external and local IP 
addresses for the edge device 110 from a DHCP server at the POP 220 or from management
server 130, thus requiring that the base address be received at the server 130. 

Code and information for configuring the first processor (110) to interface the base
network at the received base address is seen as the column 15, lines 4-7, receiving of additional
configuration information, such as related to routing and security policies from the server (130),
and such is thus provided at the management server (130) to the first processor (110) for
configuring the first processor (110) via the base network.

Once the additional information is in place at the edge device (110), it is used to
ultimately determine which other edge devices should be included via tunnels over the base 
network. 

The end result is the enabling of a direct tunnel between two edge devices (110) per the
detection of edge devices (110) by the management server (130), such that the management
server (130) determines which other edge devices (110) the detected edge device (110) should be
connected via a tunnel (115) to be established. The tunnel ultimately established (115) is
through the base network (100) and connects two edge devices (110) wherein a consent is
presented to the management server (130) from each of the edge devices (110) [per the column
15, lines 8-42] via the commands to the edge devices to add the tunnel, as well as the
generation/receiving of session keys from the management server (130).

Per claim 2, a firewall is provided at Figure 8. Note that the centralized firewall 830 
maintains tunnels to edge/network devices and is centrally managed by the management server 
(130), hence being provided by the management server (130). By definition, a firewall 
selectively restricts information flowing through/from an edge device (110/810) and the base 
network (100), as such is pointed out at the top of column 17 and the restricted access. 

Per claim 33, network services in the form of a VPN are provided, as discussed above. 

At least one site is provided at the management server (130) in the base network (100), 
wherein information is received in the form of the password and user name (i.e. user
information), as mentioned above. Code and other information is provided to the user in the
form of the above mentioned additional configuration information for self-configuring the edge
device (110). The code is then executed with the result, as explained above, of a tunnel created 
between two edge devices under the auspices of the management server (130). Note that 
addresses, both local and external, per column 14, via the management server (130) or other 
methods. Per the use of the session keys, again under the auspices of the management server 
(130), a mutual consent is needed and detected in order to establish the desired tunnel between 
the edge devices (110). 

Per claim 49, the firewall (830) of Figure 8 is configured and controlled by the 
management server (130), which must have information about the edge devices in order for it to 
function as a firewall. 

Conclusion 

6. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

11. This application contains claims 3-32, 34-48 and 50-52 drawn to an invention nonelected
with traverse in Paper No. 12262004. A complete reply to the final rejection must include
cancellation of nonelected claims or other appropriate action (37 CFR 1.144). See MPEP
§ 821.01.

12. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Alan S. Chen whose telephone number is 571-272-4143. The 
examiner can normally be reached on M-F 8:30am - 5:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Dov Popovici can be reached on (571) 272-4083. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).